refactor(access): move some services to cf tunnels

2026-02-09 12:29:19 -08:00 · 2024-03-01 12:14:25 -08:00 · 2024-03-01 12:14:25 -08:00 · 9c6bbe8b82
commit 9c6bbe8b82
parent 49c31c1508
10 changed files with 118 additions and 7 deletions
--- a/docs/network.adoc
+++ b/docs/network.adoc
@ -11,6 +11,7 @@ include::{inc}attrs.adoc[]
 == Reserved IPv4 Addresses

 router:: `10.1.1.1`
+u7-pro:: `10.1.1.3`
 gensokyo:: `10.1.1.4`
 eientei:: `10.1.1.5`

@ -18,8 +19,6 @@ shanghai:: `10.1.1.32`

 hourai:: `10.1.1.36`

-tewi:: `10.1.1.38`
-
 tei:: `10.1.1.39`
 reisen:: `10.1.1.40`
 hakurei:: `10.1.1.41`
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@ -0,0 +1,71 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (lib.lists) head;
+  inherit (lib.strings) splitString;
+  inherit (config.services) nginx tailscale;
+  access = nginx.access.freepbx;
+  freepbx = config.lib.access.systemFor "freepbx";
+in {
+  options.services.nginx.access.freepbx = with lib.types; {
+    url = mkOption {
+      type = str;
+      default = "http://${freepbx.access.hostnameForNetwork.local}";
+    };
+    domain = mkOption {
+      type = str;
+      default = "pbx.${config.networking.domain}";
+    };
+    localDomain = mkOption {
+      type = str;
+      default = "pbx.local.${config.networking.domain}";
+    };
+    tailDomain = mkOption {
+      type = str;
+      default = "pbx.tail.${config.networking.domain}";
+    };
+    useACMEHost = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+  };
+  config.services.nginx = {
+    virtualHosts = let
+      proxyScheme = head (splitString ":" access.url);
+      extraConfig = ''
+        proxy_buffering off;
+
+        set $pbx_scheme $scheme;
+        if ($http_x_forwarded_proto) {
+          set $pbx_scheme $http_x_forwarded_proto;
+        }
+        proxy_redirect ${proxyScheme}://$host/ $pbx_scheme://$host/;
+      '';
+      locations = {
+        "/" = {
+          proxyPass = access.url;
+        };
+      };
+    in {
+      ${access.domain} = {
+        vouch.enable = mkDefault true;
+        addSSL = mkDefault (access.useACMEHost != null);
+        kTLS = mkDefault true;
+        useACMEHost = mkDefault access.useACMEHost;
+        inherit locations extraConfig;
+      };
+      ${access.localDomain} = {
+        serverAliases = mkIf tailscale.enable [ access.tailDomain ];
+        useACMEHost = mkDefault access.useACMEHost;
+        addSSL = mkDefault (access.useACMEHost != null);
+        kTLS = mkDefault true;
+        local.enable = true;
+        inherit locations extraConfig;
+      };
+    };
+  };
+}
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@ -71,9 +71,11 @@ in {
        useACMEHost = mkDefault access.useACMEHost;
        inherit locations extraConfig;
      };
-      ${access.domain} = mkIf (access.global.enable || access.useACMEHost != null) {
+      ${access.domain} = {
        vouch.enable = mkDefault true;
-        forceSSL = mkDefault true;
+        local.enable = mkDefault (!access.global.enable);
+        forceSSL = mkDefault access.global.enable;
+        addSSL = mkDefault (!access.global.enable && access.useACMEHost != null);
        kTLS = mkDefault true;
        useACMEHost = mkDefault access.useACMEHost;
        inherit locations extraConfig;
--- a/systems/freepbx/default.nix
+++ b/systems/freepbx/default.nix
@ -0,0 +1,3 @@
+_: {
+  type = null;
+}
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -10,6 +10,7 @@
  tei = access.nixosFor "tei";
  inherit (mediabox.services) plex;
  inherit (tei.services) kanidm vouch-proxy;
+  inherit (config.services) nginx tailscale;
 in {
  imports = let
    inherit (meta) nixos;
@ -31,6 +32,7 @@ in {
    nixos.access.vouch
    nixos.access.kanidm
    nixos.access.freeipa
+    nixos.access.freepbx
    nixos.access.unifi
    nixos.access.kitchencam
    nixos.access.proxmox
@ -52,13 +54,13 @@ in {
      credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
      ingress = {
        "prox.${config.networking.domain}".service = "http://localhost";
+        ${nginx.access.freepbx.domain} = "http://localhost";
        ${config.networking.domain}.service = "http://localhost";
      };
    };
  };

  security.acme.certs = let
-    inherit (config.services) nginx tailscale;
    inherit (nginx) access;
  in {
    ${access.vouch.localDomain} = {
@ -108,6 +110,17 @@ in {
        ])
      ];
    };
+    ${access.freepbx.domain} = {
+      inherit (nginx) group;
+      extraDomainNames = mkMerge [
+        [
+          access.freepbx.localDomain
+        ]
+        (mkIf tailscale.enable [
+          access.freepbx.tailDomain
+        ])
+      ];
+    };
    ${access.proxmox.domain} = {
      inherit (nginx) group;
      extraDomainNames = mkMerge [
@ -146,7 +159,7 @@ in {
  };

  services.nginx = let
-    inherit (config.services.nginx) access;
+    inherit (nginx) access;
  in {
    access.plex = assert plex.enable; {
      url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString plex.port}";
@ -168,6 +181,9 @@ in {
    access.freeipa = {
      host = "idp.local.${config.networking.domain}";
    };
+    access.freepbx = {
+      useACMEHost = access.freepbx.domain;
+    };
    access.kitchencam = {
      streamPort = 41081;
      useACMEHost = access.kitchencam.domain;
@ -183,6 +199,9 @@ in {
        forceSSL = true;
        useACMEHost = access.freeipa.domain;
      };
+      ${access.freepbx.domain} = {
+        local.enable = true;
+      };
      ${access.proxmox.domain} = {
        useACMEHost = access.proxmox.domain;
      };
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@ -73,6 +73,10 @@ in {
            host = config.services.zigbee2mqtt.domain;
            inherit hostName;
          })
+          (ingressForNginx {
+            host = config.services.nginx.access.unifi.domain;
+            inherit hostName;
+          })
          (ingressForHass {inherit hostName;})
          (ingressForVouch {inherit hostName;})
          (ingressForKanidm {inherit hostName;})
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@ -18,6 +18,7 @@ in {
    nixos.nginx
    nixos.access.zigbee2mqtt
    nixos.access.home-assistant
+    nixos.access.unifi
    nixos.vouch
    nixos.kanidm
    nixos.unifi
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@ -22,6 +22,7 @@ module "hakurei_system_records" {
    "ldap",
    "freeipa",
    "unifi",
+    "pbx",
    "smb",
    "kitchen",
    "yt",
@ -30,7 +31,6 @@ module "hakurei_system_records" {
    "plex",
    "idp",
    "ldap",
-    "unifi",
    "smb",
    "kitchen",
    "yt",
@ -118,6 +118,14 @@ module "kubernetes_system_records" {
  local_v6  = "fd0a::be24:11ff:fe49:fedc"
 }

+module "freepbx_system_records" {
+  source    = "./system/records"
+  name      = "freepbx"
+  zone_id   = cloudflare_zone.gensokyo-zone_zone.id
+  zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+  local_v6  = "fd0a::be24:11ff:fe33:1904"
+}
+
 module "kitchencam_system_records" {
  source    = "./system/records"
  name      = "kitchencam"
--- a/tf/cloudflare_tunnels.tf
+++ b/tf/cloudflare_tunnels.tf
@ -12,6 +12,7 @@ module "hakurei" {
  subdomains = [
    "@",
    "prox",
+    "pbx",
  ]
 }

@ -44,6 +45,7 @@ module "tewi" {
    "id",
    "login",
    "z2m",
+    "unifi",
  ]
 }

--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
@ -367,6 +367,7 @@ EOT

  network_device {
    bridge = "vmbr0"
+    mac_address = "BC:24:11:3D:39:91"
  }

  operating_system {
@ -492,6 +493,7 @@ EOT

  network_device {
    bridge = "vmbr0"
+    mac_address = "BC:24:11:33:19:04"
  }

  operating_system {